Posted to commits@ambari.apache.org by rl...@apache.org on 2015/04/01 22:22:19 UTC
ambari git commit: AMBARI-10266. Cannot enable kerberos with Ambari
server running non-root (rlevas)
Repository: ambari
Updated Branches:
refs/heads/trunk 759edd4d3 -> e22b67103
AMBARI-10266. Cannot enable kerberos with Ambari server running non-root (rlevas)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/e22b6710
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/e22b6710
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/e22b6710
Branch: refs/heads/trunk
Commit: e22b671035bcaa026f2ce5c3b77e1d49b3c74c73
Parents: 759edd4
Author: Robert Levas <rl...@hortonworks.com>
Authored: Wed Apr 1 16:21:34 2015 -0400
Committer: Robert Levas <rl...@hortonworks.com>
Committed: Wed Apr 1 16:21:34 2015 -0400
----------------------------------------------------------------------
ambari-server/conf/unix/ambari.properties | 2 +-
ambari-server/conf/windows/ambari.properties | 2 +-
.../kerberos/CreateKeytabFilesServerAction.java | 23 +++--
.../CreateKeytabFilesServerActionTest.java | 91 ++++++++++++++++++++
4 files changed, 109 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/e22b6710/ambari-server/conf/unix/ambari.properties
----------------------------------------------------------------------
diff --git a/ambari-server/conf/unix/ambari.properties b/ambari-server/conf/unix/ambari.properties
index 44aea5c..eee3bb2 100644
--- a/ambari-server/conf/unix/ambari.properties
+++ b/ambari-server/conf/unix/ambari.properties
@@ -48,7 +48,7 @@ bootstrap.script=/usr/lib/python2.6/site-packages/ambari_server/bootstrap.py
bootstrap.setup_agent.script=/usr/lib/python2.6/site-packages/ambari_server/setupAgent.py
recommendations.dir=/var/run/ambari-server/stack-recommendations
stackadvisor.script=/var/lib/ambari-server/resources/scripts/stack_advisor.py
-server.tmp.dir=/var/lib/ambari-server/tmp
+server.tmp.dir=/var/lib/ambari-server/data/tmp
ambari.python.wrap=ambari-python-wrap
api.authenticate=true
http://git-wip-us.apache.org/repos/asf/ambari/blob/e22b6710/ambari-server/conf/windows/ambari.properties
----------------------------------------------------------------------
diff --git a/ambari-server/conf/windows/ambari.properties b/ambari-server/conf/windows/ambari.properties
index cfe9c3d..d0fb6dd 100644
--- a/ambari-server/conf/windows/ambari.properties
+++ b/ambari-server/conf/windows/ambari.properties
@@ -55,7 +55,7 @@ kerberos.keytab.cache.dir = data\\cache
recommendations.dir=\\var\\run\\ambari-server\\stack-recommendations
stackadvisor.script=resources\\scripts\\stack_advisor.py
-server.tmp.dir=\\var\\run\\ambari-server\\tmp
+server.tmp.dir=\\var\\run\\ambari-server\\data\\tmp
views.dir=resources\\views
ambari.python.wrap=python.exe
http://git-wip-us.apache.org/repos/asf/ambari/blob/e22b6710/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java
index a1ff364..5e8b451 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerAction.java
@@ -353,7 +353,6 @@ public class CreateKeytabFilesServerAction extends KerberosServerAction {
try {
keytab.write(cachedKeytabFile);
- ensureAmbariOnlyAccess(cachedKeytabFile);
} catch (IOException e) {
String message = String.format("Failed to write the keytab for %s to the cache location (%s)",
principal, cachedKeytabFile.getAbsolutePath());
@@ -361,6 +360,8 @@ public class CreateKeytabFilesServerAction extends KerberosServerAction {
throw new AmbariException(message, e);
}
+ ensureAmbariOnlyAccess(cachedKeytabFile);
+
return cachedKeytabFile;
}
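Review bot: When `ensureAmbariOnlyAccess(cachedKeytabFile)` throws at this new position, the keytab that `keytab.write(cachedKeytabFile)` just wrote stays in the cache location with whatever permissions it was created with, so the failure path leaves key material on disk less protected than intended. Removing the file before propagating would close that, for example `try { ensureAmbariOnlyAccess(cachedKeytabFile); } catch (AmbariException e) { cachedKeytabFile.delete(); throw e; }`. The file is also still written first and restricted afterwards, so it briefly carries default permissions; restricting the cache directory before any keytab is written would cover that interval, though whether this already happens is not visible here. The enclosing method starts outside the hunk.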
@@ -370,23 +371,31 @@ public class CreateKeytabFilesServerAction extends KerberosServerAction {
*
* @param file the file or directory for which to modify access
*/
- private void ensureAmbariOnlyAccess(File file) {
+ protected void ensureAmbariOnlyAccess(File file) throws AmbariException {
if (file.exists()) {
if (!file.setReadable(false, false) || !file.setReadable(true, true)) {
- LOG.warn(String.format("Failed to set %s readable only by Ambari", file.getAbsolutePath()));
+ String message = String.format("Failed to set %s readable only by Ambari", file.getAbsolutePath());
+ LOG.warn(message);
+ throw new AmbariException(message);
}
if (!file.setWritable(false, false) || !file.setWritable(true, true)) {
- LOG.warn(String.format("Failed to set %s writable only by Ambari", file.getAbsolutePath()));
+ String message = String.format("Failed to set %s writable only by Ambari", file.getAbsolutePath());
+ LOG.warn(message);
+ throw new AmbariException(message);
}
if (file.isDirectory()) {
- if (!file.setExecutable(false, false) && !file.setExecutable(true, true)) {
- LOG.warn(String.format("Failed to set %s executable by Ambari", file.getAbsolutePath()));
+ if (!file.setExecutable(false, false) || !file.setExecutable(true, true)) {
+ String message = String.format("Failed to set %s executable by Ambari", file.getAbsolutePath());
+ LOG.warn(message);
+ throw new AmbariException(message);
}
} else {
if (!file.setExecutable(false, false)) {
- LOG.warn(String.format("Failed to set %s not executable", file.getAbsolutePath()));
+ String message = String.format("Failed to set %s not executable", file.getAbsolutePath());
+ LOG.warn(message);
+ throw new AmbariException(message);
}
}
}
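Review bot: Turning every `false` return into an `AmbariException` makes this method fail on file systems that lack the permission bit being cleared: `java.io.File` documents that `setReadable(false, …)` and `setExecutable(false, …)` fail when the underlying file system does not implement a read or execute permission, and this commit also ships a Windows `ambari.properties`, so that platform looks like a target. Consider keeping the hard failure where POSIX permissions are supported and falling back to the logged warning elsewhere. The opposite gap is the outer `if (file.exists())`: a missing path still returns silently, which does not match the new fail-closed behaviour, and an `else` branch that throws would make it consistent. Because the message now travels in the exception, `LOG.warn(message)` right before each `throw` will probably be reported twice once the caller logs the failure. The method's closing lines are outside the hunk.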
http://git-wip-us.apache.org/repos/asf/ambari/blob/e22b6710/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerActionTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerActionTest.java b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerActionTest.java
new file mode 100644
index 0000000..d2252a9
--- /dev/null
+++ b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/CreateKeytabFilesServerActionTest.java
@@ -0,0 +1,91 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.serveraction.kerberos;
+
+import junit.framework.Assert;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
+
+import java.io.File;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.nio.file.attribute.PosixFilePermission;
+import java.util.Set;
+
+public class CreateKeytabFilesServerActionTest {
+
+ @Rule
+ public TemporaryFolder testFolder = new TemporaryFolder();
+
+ @Test
+ public void testEnsureAmbariOnlyAccess() throws Exception {
+ Path path;
+ Set<PosixFilePermission> permissions;
+
+ File directory = testFolder.newFolder();
+ Assert.assertNotNull(directory);
+
+ new CreateKeytabFilesServerAction().ensureAmbariOnlyAccess(directory);
+
+ // The directory is expected to have the following permissions: rwx------ (700)
+ path = Paths.get(directory.getAbsolutePath());
+ Assert.assertNotNull(path);
+
+ permissions = Files.getPosixFilePermissions(path);
+ Assert.assertNotNull(permissions);
+
+ Assert.assertNotNull(permissions);
+ Assert.assertEquals(3, permissions.size());
+ Assert.assertTrue(permissions.contains(PosixFilePermission.OWNER_READ));
+ Assert.assertTrue(permissions.contains(PosixFilePermission.OWNER_WRITE));
+ Assert.assertTrue(permissions.contains(PosixFilePermission.OWNER_EXECUTE));
+ Assert.assertFalse(permissions.contains(PosixFilePermission.GROUP_READ));
+ Assert.assertFalse(permissions.contains(PosixFilePermission.GROUP_WRITE));
+ Assert.assertFalse(permissions.contains(PosixFilePermission.GROUP_EXECUTE));
+ Assert.assertFalse(permissions.contains(PosixFilePermission.OTHERS_READ));
+ Assert.assertFalse(permissions.contains(PosixFilePermission.OTHERS_WRITE));
+ Assert.assertFalse(permissions.contains(PosixFilePermission.OTHERS_EXECUTE));
+
+ File file = File.createTempFile("temp_", "", directory);
+ Assert.assertNotNull(file);
+ Assert.assertTrue(file.exists());
+
+ new CreateKeytabFilesServerAction().ensureAmbariOnlyAccess(file);
+
+ // The file is expected to have the following permissions: rw------- (600)
+ path = Paths.get(file.getAbsolutePath());
+ Assert.assertNotNull(path);
+
+ permissions = Files.getPosixFilePermissions(path);
+ Assert.assertNotNull(permissions);
+
+ Assert.assertEquals(2, permissions.size());
+ Assert.assertTrue(permissions.contains(PosixFilePermission.OWNER_READ));
+ Assert.assertTrue(permissions.contains(PosixFilePermission.OWNER_WRITE));
+ Assert.assertFalse(permissions.contains(PosixFilePermission.OWNER_EXECUTE));
+ Assert.assertFalse(permissions.contains(PosixFilePermission.GROUP_READ));
+ Assert.assertFalse(permissions.contains(PosixFilePermission.GROUP_WRITE));
+ Assert.assertFalse(permissions.contains(PosixFilePermission.GROUP_EXECUTE));
+ Assert.assertFalse(permissions.contains(PosixFilePermission.OTHERS_READ));
+ Assert.assertFalse(permissions.contains(PosixFilePermission.OTHERS_WRITE));
+ Assert.assertFalse(permissions.contains(PosixFilePermission.OTHERS_EXECUTE));
+ }
+}
\ No newline at end of file
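Review bot: `Files.getPosixFilePermissions(path)` throws `UnsupportedOperationException` on a file system without the POSIX attribute view, so this test cannot pass on such a platform; a guard such as `Assume.assumeTrue(FileSystems.getDefault().supportedFileAttributeViews().contains("posix"));` at the top of `testEnsureAmbariOnlyAccess` would skip it there instead of failing. The test also covers only the success path, while the behaviour this commit introduces is the `AmbariException` on failure; a case asserting that exception, where a failing path can be provoked reliably, would pin the change. Minor: `Assert.assertNotNull(permissions)` is repeated on consecutive lines in the directory half, and `junit.framework.Assert` is the deprecated JUnit 3 class where `org.junit.Assert` is available.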